DOE Cyber-Security Audit Shows Incident Reporting, Management Hurdles

An audit of the Department of Energy's Cyber Security Incident Management Program found that duplicative efforts and the inconsistent reporting of cyber incidents are challenging security management.

Released earlier this month, the audit by the DOE's Office of Inspector General paints a picture of an agency in need of a unified cyber-security management strategy as it works to deal with these issues. Among the report's findings was that independent, partially duplicative incident-management capabilities exist and cost more than $30 million a year. In particular, the department's Joint Cybersecurity Coordination Center (JC3) provided incident response and advisory services and maintained computer-forensics capabilities to support the investigation and preservation of cyber evidence, even as at least two other DOE organizations performed similar functions.

In addition, the audit found that cyber-security incidents were not consistently identified or reported to the JC3 as required. For example, 91 of 223 reported incidents at seven sites were not reported within the required time frames. Ten incidents involving the loss of personally identifiable information were reported up to 15 hours after discovery, as opposed to the 45 minutes required by policy. In some cases, the incident reports did not contain "essential information" such as the date and time an incident occurred and the number of machines affected, ultimately meaning the information provided to law enforcement agencies and the U.S. Computer Emergency Readiness Team (US-CERT) was incomplete, the report said.
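The two failures the audit describes here, reports that arrive after the policy deadline and reports that omit essential fields, are easy to check mechanically once reports are collected centrally. The following Python checker is an added example written for this article; it is not JC3 or DOE code. It applies the one deadline the page states (45 minutes from discovery for incidents involving PII) and flags missing fields. The field names, the one-hour deadline assumed for non-PII incidents, and the sample reports are all constructed for illustration and are not taken from the audit.

```python
from datetime import datetime, timedelta

# Fields the audit calls "essential" (date/time of the incident, number of
# machines affected) plus the timestamps needed to measure reporting latency.
# The exact field names are an assumption for this example.
ESSENTIAL_FIELDS = (
    "site", "category", "occurred_at", "discovered_at",
    "reported_at", "machines_affected",
)

# Deadline the page cites for PII incidents: 45 minutes from discovery.
PII_DEADLINE = timedelta(minutes=45)
# The page gives no figure for other categories; one hour is an assumed
# placeholder, not DOE policy.
DEFAULT_DEADLINE = timedelta(hours=1)


def _minutes(td):
    """Render a timedelta as whole minutes for human-readable findings."""
    return f"{int(td.total_seconds() // 60)} min"


def check_report(report, default_deadline=DEFAULT_DEADLINE):
    """Return a list of findings for one incident report (empty = compliant).

    Two checks: every essential field is present and non-empty, and the
    report was submitted within the deadline that applies to its category.
    """
    findings = []
    missing = [f for f in ESSENTIAL_FIELDS if report.get(f) in (None, "")]
    findings.extend(f"missing essential field: {f}" for f in missing)

    # Latency can only be measured if both timestamps survived.
    if "discovered_at" not in missing and "reported_at" not in missing:
        discovered = datetime.fromisoformat(report["discovered_at"])
        reported = datetime.fromisoformat(report["reported_at"])
        deadline = PII_DEADLINE if report.get("involves_pii") else default_deadline
        latency = reported - discovered
        if latency > deadline:
            findings.append(
                f"late: reported {_minutes(latency)} after discovery "
                f"(limit {_minutes(deadline)})"
            )
    return findings


def summarize(reports):
    """Count reports that are compliant, late, or missing essential fields."""
    summary = {"total": len(reports), "compliant": 0, "late": 0, "incomplete": 0}
    for report in reports:
        findings = check_report(report)
        if not findings:
            summary["compliant"] += 1
        if any(f.startswith("late:") for f in findings):
            summary["late"] += 1
        if any(f.startswith("missing") for f in findings):
            summary["incomplete"] += 1
    return summary


# Constructed sample reports, not data from the audit.  Report 2 mirrors the
# page's "15 hours instead of 45 minutes" PII case; report 3 mirrors a report
# that omits the incident date/time and machine count.
SAMPLE_REPORTS = [
    {"site": "Site A", "category": "malware", "involves_pii": True,
     "occurred_at": "2011-06-01T07:30:00", "discovered_at": "2011-06-01T08:00:00",
     "reported_at": "2011-06-01T08:30:00", "machines_affected": 3},
    {"site": "Site B", "category": "pii-loss", "involves_pii": True,
     "occurred_at": "2011-06-01T07:45:00", "discovered_at": "2011-06-01T08:00:00",
     "reported_at": "2011-06-01T23:00:00", "machines_affected": 1},
    {"site": "Site C", "category": "unauthorized-access", "involves_pii": False,
     "occurred_at": "", "discovered_at": "2011-06-01T09:00:00",
     "reported_at": "2011-06-01T09:30:00", "machines_affected": None},
    {"site": "Site D", "category": "scan", "involves_pii": False,
     "occurred_at": "2011-06-01T09:50:00", "discovered_at": "2011-06-01T10:00:00",
     "reported_at": "2011-06-01T12:00:00", "machines_affected": 12},
]

if __name__ == "__main__":
    for n, report in enumerate(SAMPLE_REPORTS, 1):
        print(f"report {n} ({report['site']}):", check_report(report) or "compliant")
    print(summarize(SAMPLE_REPORTS))
```

The checker only measures what a report says about itself; it cannot detect incidents a site never classified as reportable, which is the interpretation gap the audit raises separately.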

"In the absence of an effective enterprise-wide cyber-security incident-management program, a decentralized and fragmented approach evolved that placed the department's information systems and networks at increased risk of compromise," according to the report. "The department's current reporting and cyber incident management structure also increases the risk that it will be unable to satisfy both internal and external response and reporting requirements."

Former US-CERT Director Mischel Kwon said the report is not as bad as it may seem, and instead illustrates an agency working to address operational and structural issues.

"They have hit the very top problems that I think every organization is struggling with today," said Kwon, who is now president and CEO of Mischel Kwon Associates.

The reporting of incidents is not always clear-cut, she added, noting that in the past the information people were asked to report was based on Federal Information Security Management Act (FISMA) requirements as opposed to sharing information to address advanced persistent threats.

"If you look at the US-CERT incident response numbers for last year, you might chuckle a little bit," she said. "If you look at them for the past 10 years, you may think that's nowhere near the volume of incidents I would expect in this large a landscape."

Some of that, Kwon said, has to do with the maturity level of security operations centers, while it also relates to the way incidents are reported.

The audit appears to back that up, at one point stating that "the reporting instructions developed by JC3 lacked detail and were subject to interpretation as to the definition of a reportable incident, which contributed to problems we identified related to reporting. In particular, sites were inconsistent when making determinations as to what constituted a reportable incident."

Government reporting and accountability of compromises, incidents and loss of protected networked knowledge remain disjointed and inadequate, according to Sean Bodmer, chief researcher at security vendor CounterTack.

The biggest issues are not the incident responders in the trenches who want to honestly do their jobs, but almost always one of the typical political or policy challenges that "plague the Information Assurance and Security professionals working for and in the U.S. government," he said.

"The underlying issue is still within an overarching mandate that requires each independent site and dispersed teams to report incidents in a timely fashion or be fined in some way," said Bodmer. "Without the proper level of authority to enforce reprimands of offending organizations, the JC3 will continue to have the recurring issues."

The audit makes several recommendations to address the issues it uncovered, starting with the development of an enterprise-wide cyber-security incident-management program that establishes clearly defined lines of authority and responsibility, eliminates duplicative efforts, and requires all departmental elements—including the National Nuclear Security Administration (NNSA)—to contribute to a unified program that ensures a timely response.

According to the audit, the DOE and the NNSA management agreed with the findings of the report and stated that corrective actions will be taken. "Although these findings are alarming from a budgetary and security perspective, it appears DOE management is moving in the right direction," said Dave Pack, director of labs for LogRhythm.

According to the Management Comments memorandum, the department has begun transforming its incident-management program in a way that addresses the audit's recommendations and more, Pack noted.

"When implementing a program of this scale, it will be important to choose tools and technologies that can effectively collect and normalize large amounts of different types of data from disparate locations to ensure a centralized body can efficiently analyze, identify and report security incidents according to department-wide policies," said Pack.